Security researchers at Trend Micro have issued a warning about an infostealer that pretends to be a ChatGPT Windows desktop client. The fake version can extract Chrome login data from the browser’s saved credentials folder. While ChatGPT has not released an official desktop client, the bogus version looks similar to what users might expect.
The infostealer is being distributed via a zip archive containing an executable file named ChatGPT For Windows Setup 1.0.0.exe. During installation, the malware runs in the background and starts extracting Chrome login data using Havelock, a tool that extracts and decrypts accounts, cookies, and history from Chromium-based browsers.
The fake ChatGPT client creates an AutoStart entry in the registry to ensure that the infostealer runs every time the infected machine starts up.
It also has the ability to hide its console window and extract web session cookies via sqlite3. Its many dependencies suggest it has additional capabilities. The grabbed data is exfiltrated via Telegram. The infostealer has the ability to connect to various domains, including api.telegram.org, facebook.com, and api.aiforopen.com.
Trend Micro discovered that the bogus ChatGPT client has similarities to a malware strain called DUCKTAIL, which is an infostealer that targets Facebook Business accounts. Cybercriminals have been exploiting users’ desire for ChatGPT desktop and mobile apps to deliver different types of malware.
Users are advised to avoid downloading applications from untrusted or unauthorized sources. Since ChatGPT has no official desktop client or mobile app, claims or offers of such products should be viewed with caution.
